Fixed linux powershell installation and execution

CODE_OF_CONDUCT.md

@@ -2,45 +2,72 @@
 
 ## Our Pledge
 
-In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
+""In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age,
+body size, disability, ethnicity, gender identity and expression, level of
+experience, nationality, personal appearance, race, religion, or sexual
+identity and orientation.
 
 ## Our Standards
 
 Examples of behavior that contributes to creating a positive environment include:
 
-* Using welcoming and inclusive language
-* Being respectful of differing viewpoints and experiences
-* Gracefully accepting constructive criticism
-* Focusing on what is best for the community
-* Showing empathy towards other community members
+- Using welcoming and inclusive language
+- Being respectful of differing viewpoints and experiences
+- Gracefully accepting constructive criticism
+- Focusing on what is best for the community
+- Showing empathy towards other community members
 
 Examples of unacceptable behavior by participants include:
 
-* The use of sexualized language or imagery and unwelcome sexual attention or advances
-* Trolling, insulting/derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or electronic address, without explicit permission
-* Other conduct which could reasonably be considered inappropriate in a professional setting
+- The use of sexualized language or imagery and unwelcome sexual attention or advances
+- Trolling, insulting/derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+- Other conduct which could reasonably be considered inappropriate in a
+  professional setting
 
 ## Our Responsibilities
 
-Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
 
-Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
 
 ## Scope
 
-This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an
+appointed representative at an online or offline event. Representation of a
+project may be further defined and clarified by project maintainers.
 
 ## Enforcement
 
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at research at redcanary.com. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at research at redcanary.com. The
+project team will review and investigate all complaints, and will respond in a
+way that it deems appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an
+incident. Further details of specific enforcement policies may be posted
+separately.
 
-Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
 
 ## Attribution
 
-This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
 
 [homepage]: http://contributor-covenant.org
 [version]: http://contributor-covenant.org/version/1/4/

README.md

@@ -1,5 +1,4 @@
-ansible_atomic_red_team
-=========
+# ansible_atomic_red_team
 
 A role to execute atomic red team tests.
 
@@ -22,11 +21,12 @@ or involve extended dependencies or resources beyond a single VM (eg cloud
 tests). These tests are filtered out at the TID level (eg, matching
 `T[0-9]{4}(\.?[0-9]{3})?`), but can still be specified by TID+GUID if desired.
 
-## Why another way to execute Atomic Red Team Tests?
+## Why another way to execute Atomic Red Team Tests
 
-There are several exellent execution frameworks for Atomic Red Team, but we desired easy
-integreation between our test framework and other devops tools that create VMs,
-configure sensors and prerequisites, and run other non-AtomicRedTeam tests.
+There are several exellent execution frameworks for Atomic Red Team, but we
+desired easy integreation between our test framework and other devops tools
+that create VMs, configure sensors and prerequisites, and run other
+non-AtomicRedTeam tests.
 
 Ansible and Terraform allow us to meet these goals for fully automated
 testing. Terraform creates VMs provisioned by Ansible. Ansible playbooks run
@@ -46,43 +46,45 @@ query the Atomic Red Team test inventory CSV files on github and create/update
 all execpt "banned" TIDs.
 
 If you want to disable this fetch from github on the machine running the
-playbook, set `disable_fetch_art_index: true`. This will cause
-`tasks/main.yml` to fall back to `vars/art-tids.yml` which can be manually
-updates with `vars/update-art-tids.sh`
+playbook, set `ansible_atomic_red_team_disable_fetch_art_index: true`.
+This will cause `tasks/main.yml` to fall back to `vars/art-tids.yml` which
+can be manually updates with `vars/update-art-tids.sh`
 
-
-Role Variables
---------------
+## Role Variables
 
 in `defaults/main.yml`:
-- `banned_tids_linux`: annotated list of TIDs to *NOT* run
-- `art_tids_linux`: list of the linux TIDs available in Atomic Red Team
-- `art_tids_mac`: list of the mac TIDs available in Atomic Red Team
-- `art_tids_windows`: list of the windows TIDs available in Atomic Red Team
-- `art_repository_owner: redcanaryco` - override with the github repo owner for the atomic_red_team repo to use.
-- `art_branch: master` - override with the branch to use
 
+- `ansible_atomic_red_team_banned_tids_linux`: annotated list of TIDs to _NOT_ run
+- `ansible_atomic_red_team_tids_linux`: list of the linux TIDs available in
+  Atomic Red Team
+- `ansible_atomic_red_team_tids_macos`: list of the mac TIDs available in
+  Atomic Red Team
+- `ansible_atomic_red_team_tids_windows`: list of the windows TIDs available in
+  Atomic Red Team
+- `ansible_atomic_red_team_repository_owner: redcanaryco` - override with the
+  github repo owner for the atomic_red_team repo to use.
+- `ansible_atomic_red_team_branch: master` - override with the branch to use
 
-Example Playbook
-----------------
+## Example Playbook
 
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+Including an example of how to use your role (for instance, with variables
+passed in as parameters) is always nice for users too:
 
 ```yaml
 ---
 - hosts: all
   gather_facts: True
   become: True
   tasks:
-
     - include_role:
         name: ansible_atomic_red_team
-        # you cannot use become directly on include_role, but can control elevation using apply
+        # you cannot use become directly on include_role,
+        # but can control elevation using apply
         apply:
           become: True
       when: ansible_system == 'Linux'
       vars:
-        art_tids_linux:
+        ansible_atomic_red_team_tids_linux:
           - T1136.001
           - T1053.003
           - T1003.008-1,2,3
@@ -98,7 +100,7 @@ Including an example of how to use your role (for instance, with variables passe
           become: False
       when: ansible_system == 'Win32NT'
       vars:
-        art_tids_windows:
+        ansible_atomic_red_team_tids_windows:
           - T1027
           - T1053.005
           - T1547.001-1,2

defaults/main.yml

@@ -1,10 +1,10 @@
 ---
-disable_fetch_art_index: false
+ansible_atomic_red_team_disable_fetch_art_index: false
 
-art_repository_owner: redcanaryco
-art_branch: master
+ansible_atomic_red_team_repository_owner: redcanaryco
+ansible_atomic_red_team_branch: master
 
-banned_tids_linux:
+ansible_atomic_red_team_banned_tids_linux:
   - T1018     # slow ping scan
   - T1046     # nmap
   - T1070.004 # delete filesystem
@@ -20,22 +20,33 @@ banned_tids_linux:
   - T1526     # Azure
   - T1529     # reboot/shutdown
   - T1530     # cloud
+  - T1562.001 # breaks the tests
   - T1562.006 # auditd changes (may break some telemetry collection)
   - T1562.008 # cloud logging changes
   - T1574.006 # Dynamic Linker Hijacking (requires manual cleanup / testing - might break subsequent tests)
   - T1611     # container-based, needs prereqs, and hangs/timeout
 
-banned_tids_macos:
+ansible_atomic_red_team_banned_tids_macos:
   - T1485     # impact - data destruction
   - T1529     # reboot/shutdown
 
-banned_tids_windows:
+ansible_atomic_red_team_banned_tids_windows:
   - T1485     # impact - data destruction
   - T1529     # reboot/shutdown
 
 # these are updated by tasks/gather-art-tids.yml which polls github to write
 # playbook_dir/art-tids.yml as a fallback, the tasks/main.yml will load
 # vars/art-tids.yml, which can be manually updated with vars/update-art-tids.sh
-art_tids_linux: []
-art_tids_macos: []
-art_tids_windows: []
+ansible_atomic_red_team_tids_linux: []
+ansible_atomic_red_team_tids_macos: []
+ansible_atomic_red_team_tids_windows: []
+
+# Execute the ART tests
+ansible_atomic_red_team_execute: false
+
+# PowerShell version to install (if needed)
+ansible_atomic_red_team_pwsh_version: "7.4.1"
+ansible_atomic_red_team_nix_pwsh_path: "/opt/microsoft/powershell/7"
+
+# Timeout in seconds for each test
+ansible_atomic_red_team_timeout: 20

example-playbook.yml

@@ -17,7 +17,7 @@
           become: true
       when: ansible_system == 'Linux'
       vars:
-        art_tids_linux:
+        ansible_atomic_red_team_tids_linux:
           - T1136.001
           - T1053.003
           - T1003.008-1,2,3
@@ -34,10 +34,10 @@
           become: false
       when: ansible_system == 'Win32NT'
       vars:
-        art_tids_windows:
+        ansible_atomic_red_team_tids_windows:
           # https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
           - T1553.005:c2587b8d-743d-4985-aa50-c83394eaeb68 # download and mount iso, run lnk
-          - T1016 # System Network Configurration Discovery - 8 tests
+          - T1016 # System Network Configuration Discovery - 8 tests
           - T1057 # Process Discovery - 5 tests
           - T1219-2 # Install Anydesk
           - T1087.002-5,6,7,8 # Account Discovery(domain)

vars/update-art-tids.sh → files/update-art-tids.sh

@@ -6,13 +6,13 @@ branch="master"
 
 echo "---" | tee art-tids.yml
 
-function fetch-art-index-to-yml () {
+function fetch-art-index-to-yml() {
     url="https://github.com/${ghuser}/atomic-red-team/raw/${branch}/atomics/Indexes/Indexes-CSV/${1}-index.csv"
-    tidlist=( $(curl -sL $url | awk -F, '/T1/{print $2}' | sort -u) )
-        echo "art_tids_${1}:" | tee -a art-tids.yml
-        for tid in ${tidlist[*]}; do
-            echo "  - ${tid}"
-        done | tee -a art-tids.yml
+    tidlist=("$(curl -sL "$url" | awk -F, '/T1/{print $2}' | sort -u)")
+    echo "art_tids_${1}:" | tee -a art-tids.yml
+    for tid in "${tidlist[@]}"; do
+        echo "  - ${tid}"
+    done | tee -a art-tids.yml
 }
 
 for os in linux macos windows; do

requirements.yml

@@ -0,0 +1,4 @@
+---
+collections:
+  - name: ansible.windows
+  - name: cowdogmoo.workstation

tasks/gather-art-tids.yml

@@ -1,11 +1,35 @@
 ---
 - name: Set Indexes-CSV url
   ansible.builtin.set_fact:
-    index_csv_url: "https://github.com/{{ art_repository_owner }}/atomic-red-team/raw/{{ art_branch }}/atomics/Indexes/Indexes-CSV/"
+    index_csv_url: >-
+      {{
+      'https://github.com/' +
+      ansible_atomic_red_team_repository_owner +
+      '/atomic-red-team/raw/' +
+      ansible_atomic_red_team_branch +
+      '/atomics/Indexes/Indexes-CSV/'
+      }}
+
+- name: Create temporary directory
+  ansible.builtin.tempfile:
+    state: directory
+    suffix: build
+  delegate_to: localhost
+  register: art_tids
+  when: not ansible_atomic_red_team_disable_fetch_art_index
+
+- name: Copy emergency bash script
+  ansible.builtin.copy:
+    src: "update-art-tids.sh"
+    dest: "{{ art_tids.path }}/update-art-tids.sh"
+    mode: '0755'
+  delegate_to: localhost
+  become: false
+  when: not ansible_atomic_red_team_disable_fetch_art_index
 
 - name: Gather and write art-tids.yml
   ansible.builtin.blockinfile:
-    dest: "{{ playbook_dir }}/art-tids.yml"
+    dest: "{{ art_tids.path }}/art-tids.yml"
     create: true
     mode: "0644"
     block: |
@@ -18,7 +42,7 @@
       {%-   endif -%}
       {%- endfor -%}
       {#- build a dict with this for to_nice_yaml so it will indent correctly -#}
-      {%- set yamloutput = dict(art_tids_windows=list) -%}
+      {%- set yamloutput = dict(ansible_atomic_red_team_tids_windows=list) -%}
       {{ yamloutput | to_nice_yaml | indent(2) }}
       {%- set list = [] -%}
       {%- for line in lookup('ansible.builtin.url', index_csv_url + 'linux-index.csv', wantlist=True) -%}
@@ -28,8 +52,8 @@
       {%-     endif -%}
       {%-   endif -%}
       {%- endfor -%}
-      {%- set yamloutput = dict(art_tids_linux=list) -%}
+      {%- set yamloutput = dict(ansible_atomic_red_team_tids_linux=list) -%}
       {{ yamloutput | to_nice_yaml | indent(2) }}
   delegate_to: localhost
   become: false
-  when: not disable_fetch_art_index
+  when: not ansible_atomic_red_team_disable_fetch_art_index